A little more detail: Our integration is only for our company, not for our users. We have a system that captures client details that we want to synchronize to HubSpot to ensure we have the same data in both systems. All of the synchronization should happen behind-the-scenes through API calls.

The gist is that we want to authorize our external app, not our individual users. So how do we get an authorization token without the redirect_uri parameter? Can we generate it with the secret on our own using OAuth libraries?

Since this call would have to be made on the front-end using JavaScript (I assume) instead of the back-end, like most of the other parts of our integration, wouldn't using the hapi key for that be a security risk?

Are there ways to identify a visitor that wouldn't involve exposing the hapi key?

@Jacob - when using the 'identify visitor' call of the Tracking Code API, you don't need to make an authenticated call. This JS function is consumed by the HubSpot Tracking Code (so, the JS tracking code needs to be on the page if using the JS identify call). It's a way of connecting the browser cookie set by the tracking code to a specific contact, as known by their email address.